Having trouble verifying JWTs created by other sources #785
Replies: 1 comment 8 replies
-
The ASN1 bit seems unnecessary. You only need to deal with ASN.1 when you are dealing with something in ASN.1 format, and JWTs are never ASN.1 encoded as far as I know. What coulud be ASN.1 encoded are the keys themselves. For example, your key in the code I wasn't quite sure what the intention of that ASN.1 deal was (sorry, didn't look through the AWS document in its entirety), but just for comparison, this works without any problems: package jwx_test
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"encoding/json"
"fmt"
"log"
"testing"
"time"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwt"
)
func TestGH785(t *testing.T) {
privateKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
panic(fmt.Errorf("failed to generate key pair: %w", err))
}
exp := time.Now().Add(time.Hour)
nbf := time.Now()
iat := time.Now()
tok, err := jwt.NewBuilder().
Expiration(exp).
NotBefore(nbf).
IssuedAt(iat).
JwtID(`JTI`).
Subject(`SUB`).
Issuer(`Appian Corporation`).
Claim(`hostname`, `^licensing-ctrl.dev.appial-sites.net$`).
Build()
if err != nil {
panic(fmt.Errorf(`failed to create token: %w`, err))
}
signed, err := jwt.Sign(tok, jwt.WithKey(jwa.ES512, privateKey))
if err != nil {
panic(fmt.Errorf(`failed to sign token:%w`, err))
}
log.Printf("%s", signed)
parsed, err := jwt.Parse(signed, jwt.WithKey(jwa.ES512, &privateKey.PublicKey))
if err != nil {
panic(fmt.Errorf(`failed to parse token:%w`, err))
}
// going to serialize it for ease-of-view
buf, _ := json.MarshalIndent(parsed, "", " ")
log.Printf("parsed: %s", buf)
} |
Beta Was this translation helpful? Give feedback.
-
Hello!
I'm using AWS KMS to sign JWTs and am trying to use this library to verify and validate them. I've been following the "Sign a JWT" section of https://aws.amazon.com/blogs/security/how-to-verify-aws-kms-signatures-in-decoupled-architectures-at-scale/ to implementing the signing. I'm able to verify the signed JWTs using the steps in the "Signature verification in Golang" section. I'm also able to verify JWTs signed directly w/
ecdsa.SignASN1(...)
. I'm not, however, able to verify the signed JWTs usingjwt.Parse(...)
. Doing so results in the following error:I am, however, able to verify JWTs built and signed w/
jwt.NewBuilder()...Build()
andjwt.Sign(...)
. Conversely, I'm not able to verify JWTs built and signed w/jwt.NewBuilder()...Build()
directly w/ecdsa.VerifyASN1(...)
.I've attached a simple program that signs JWTs using
ecdsa.SignASN1(...)
,KMS:Sign
, andjwt.Sign(...)
and attempts to verify them using bothecdsa.VerifyASN1(...)
andjwt.Parse(...)
. In all cases, the JWT headers and payloads are the same, so the issue must be related to how I'm handling the signatures. What am I doing wrong?Thanks!
Beta Was this translation helpful? Give feedback.
All reactions